Inline and clarify the "Relaxing the Same-Origin Restriction" algorithm
Issue w3c#256 notes that it is "not clear whether [we] actually want the
interaction with sandboxing that the document.domain setter has", nor
"whether [we] actually want the behavior to be affected by previous
`document.domain` sets".

This patch offers a way to fix that, by:

1) Extracting the procedure from HTML51 into a forked algorithm
2) Adjusting said algorithm to operate on a Document's "original Domain" so as
   to be independent of previous `document.domain` set operations.
3) Keeping the sandboxing interactions, though I'm not entirely versed in
   whether there are problematic corner cases here.

This spec necessarily adds a normative reference to the PSL (which was
transitively referenced via normative reference from HTML51 before), and also
to the URL specification (also previously transitive from HTML51).
jcjones committed Dec 20, 2016
1 parent d23f37e commit c9da403
Showing 1 changed file with 53 additions and 8 deletions.
61 changes: 53 additions & 8 deletions index.bs
Expand Up @@ -47,10 +47,20 @@ spec: HTML51; urlPrefix: http://www.w3.org/TR/html51/; for: web
text: opaque origin; url: opaque-origin; for:web
text: tuple origin
text: relaxing the same-origin restriction
text: domain; url: origin-domain
type: dfn
urlPrefix: webappapis.html;
text: current settings object; for:web; url:current-settings-object
text: Navigator; for: interface; url:the-navigator-object

<!-- spec: HTML; urlPrefix: https://url.spec.whatwg.org/ -->
spec: URL; urlPrefix: https://url.spec.whatwg.org/; for: url
type: dfn
text: host parser; url: concept-host-parser
text: domain; url: concept-domain
text: host; url: origin-host
text: IPv4 address; url: concept-ipv4
text: IPv6 address; url: concept-ipv6
</pre>


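Review bot: the new URL anchor block declares host parser, domain, host, IPv4 address and IPv6 address, but the algorithm added further down links `<a link-for='url'>equal</a>` and `<a>sandboxed document.domain browsing context flag</a>`, neither of which is declared here or in the HTML51 block; Bikeshed will report those as unresolved links, so add anchor entries for both. The commented-out line `<!-- spec: HTML; urlPrefix: https://url.spec.whatwg.org/ -->` labels the URL spec as HTML and is dead text; drop it rather than leave a misleading remnant. Please also double-check `text: host; url: origin-host`: the other entries use the URL spec's `concept-` fragment names, and an `origin-host` fragment reads like an HTML origin anchor rather than the URL spec's host definition.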
Expand Down Expand Up @@ -397,9 +407,8 @@ When this method is invoked, the user agent MUST execute the following algorithm
terminate this algorithm. Otherwise,
- If {{ScopedCredentialOptions/rpId}} is not specified, then set |rpId| to |callerOrigin|, and |rpIdHash| to the SHA-256
hash of |rpId|.
- If {{ScopedCredentialOptions/rpId}} is specified, then invoke the procedure used for <a>relaxing the same-origin
restriction</a> by setting the `document.domain` attribute, using {{ScopedCredentialOptions/rpId}} as the given value
but without changing the current document's `domain`. If no errors are thrown, set |rpId| to the value of `host` as
- If {{ScopedCredentialOptions/rpId}} is specified, then invoke the [[#algo-relax-same-origin-restriction]],
using {{ScopedCredentialOptions/rpId}}. If no errors are thrown, set |rpId| to the value of `host` as
computed by this procedure, and |rpIdHash| to the SHA-256 hash of |rpId|. Otherwise, reject |promise| with a
<a>DOMException</a> whose name is "SecurityError", and terminate this algorithm.

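Review bot: the two call sites should invoke the new algorithm with the same wording. Here it is "invoke the [[#algo-relax-same-origin-restriction]], using rpId", while the assertion path says "using rpId as the given value"; since the algorithm itself refers to "the given value", use that phrase in both places. Minor: `host` in "set |rpId| to the value of `host`" is the algorithm's variable, so it should be written |host| like the other variables rather than as a code literal.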
Expand Down Expand Up @@ -493,11 +502,10 @@ When this method is invoked, the user agent MUST execute the following algorithm
terminate this algorithm. Otherwise,
- If {{AssertionOptions/rpId}} is not specified, then set |rpId| to |callerOrigin|, and |rpIdHash| to the SHA-256
hash of |rpId|.
- If {{AssertionOptions/rpId}} is specified, then invoke the procedure used for <a>relaxing the same-origin restriction</a>
by setting the `document.domain` attribute, using {{AssertionOptions/rpId}} as the given value but without changing the
current document's `domain`. If no errors are thrown, set |rpId| to the value of `host` as computed by this procedure,
and |rpIdHash| to the SHA-256 hash of |rpId|. Otherwise, reject |promise| with a <a>DOMException</a> whose name is
"SecurityError", and terminate this algorithm.
- If {{AssertionOptions/rpId}} is specified, then invoke the [[#algo-relax-same-origin-restriction]], using
{{AssertionOptions/rpId}} as the given value. If no errors are thrown, set |rpId| to the value of `host` as computed
by this procedure, and |rpIdHash| to the SHA-256 hash of |rpId|. Otherwise, reject |promise| with a <a>DOMException</a>
whose name is "SecurityError", and terminate this algorithm.

4. If {{AssertionOptions/extensions}} was specified, process any extensions supported by this client platform, to produce the
extension data that needs to be sent to the authenticator. If an error is encountered while processing an extension, skip
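Review bot: the two branches of this step produce different kinds of value for |rpId|, and this applies equally to the credential-creation hunk above. When {{AssertionOptions/rpId}} is absent, |rpId| is set to |callerOrigin|, an origin (scheme, host and port), and |rpIdHash| is the SHA-256 of that; when it is present, the new algorithm returns a host and |rpIdHash| is the SHA-256 of the bare host. The same relying party therefore gets two different hashes depending on whether it passes its own host explicitly. Consider setting |rpId| to the host of |callerOrigin| in the unspecified branch so both paths hash the same string.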
Expand Down Expand Up @@ -1508,7 +1516,38 @@ used to help facilitate isolating problems with a specific version of a device.
If the attestation root certificate is not dedicated to a single WebAuthn Authenticator device line (i.e., AAGUID), the AAGUID
should be specified in the attestation certificate itself, so that it can be verified against the <a>authenticatorData</a>.

## Algorithm to Relax the Same-Origin Restriction ## {#algo-relax-same-origin-restriction}

The same-origin policy prevents web applications from interacting, unless they both have the same origin. HTML5, via
the `document.domain` attribute, permits "relaxing" this same-origin restriction under certain circumstances. This
algorithm implements a similar procedure that of setting the `document.domain` attribute from [[!HTML51]], but without
modifying the <a>Document</a> object:

1. If this <a>Document</a> object has no browsing context, throw a "SecurityError" <a>DOMException</a>.
2. If this <a>Document</a> object’s active sandboxing flag set has its <a>sandboxed `document.domain` browsing context
flag</a> set, then throw a "SecurityError" <a>DOMException</a>.
3. If the given value is the empty string, then throw a "SecurityError" <a>DOMException</a>.
4. Let |host| be the result of parsing the given value.
5. If |host| is failure, then throw a "SecurityError" <a>DOMException</a>.
6. Let |originalDomain| be this <a>Document</a> object’s <a link-for='web'>origin</a>’s original <a link-for='web'>`domain`</a>,
assigned when the <a>Document</a> is created.

Note: The |originalDomain| should not be affected by prior calls to the <a>Document</a> object’s
<a link-for='web'>`domain`</a> setter.

7. If |host| is not <a link-for='url'>equal</a> to |originalDomain|, then run these substeps:
1. If |host| or |originalDomain| is not a <a link-for='url'>`domain`</a>, then throw a "SecurityError" <a>DOMException</a>.

Note: This is meant to exclude <a link-for='url'>hosts</a> that are an <a link-for='url'>IPv4 address</a> or an
<a link-for='url'>IPv6 address</a>.

2. If |host|, prefixed by a U+002E FULL STOP (.), does not exactly match the end of |originalDomain|, then throw a
"SecurityError" <a>DOMException</a>.
3. If |host| matches a suffix in the Public Suffix List, or, if |host|, prefixed by a U+002E FULL STOP (.), matches the
end of a suffix in the Public Suffix List, then throw a "SecurityError" <a>DOMException</a>. [[!PSL]]

Suffixes must be compared after applying the <a link-for='url'>host parser</a> algorithm.
8. Return |host|.

# Defined Attestation Formats # {#defined-attestation-formats}

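Review bot: the central object of this algorithm, |originalDomain| in step 6, is not defined anywhere: it is described only as the origin's "original domain, assigned when the Document is created", and the Note says what it must not be affected by, but the HTML51 origin linked here has a single `domain` field with no "original" variant, so this needs a proper dfn (or an explicit statement of where the value is captured) or the reference dangles. Step 4, "Let |host| be the result of parsing the given value", should name the parser; the anchor block declares the URL host parser and the sentence under step 7.3 assumes it was applied, so write "the result of running the host parser on the given value". Steps 1 and 2 throw on a sandboxed document before step 7 ever compares |host| with |originalDomain|, so a frame sandboxed without `allow-document-domain` cannot pass an rpId even when it equals its own host; that follows from keeping the sandboxing interaction (point 3 of the commit message) but deserves a Note in the text. Typo in the intro: "a similar procedure that of setting" should read "a similar procedure to that of setting".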
Expand Down Expand Up @@ -2659,6 +2698,12 @@ Brad Hill, Jing Jin, Anne van Kesteren, Giridhar Mandyam, Axel Nennker, Yaron Sh
"status": "FIDO Alliance Proposed Standard"
},

"PSL": {
"title": "Public Suffix List",
"publisher": "Mozilla Foundation",
"href": "https://publicsuffix.org/"
},

"TPMv1-2-Part2": {
"title": "TPM Main Part 2: TPM Structures",
"publisher": "Trusted Computing Group",
Expand Down
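Review bot: the PSL entry gives only a title, publisher and the site URL. The Public Suffix List is a continuously updated list rather than a fixed document, and step 7.3 of the new algorithm makes conformance depend on its contents, so the reference should say which revision is meant (or state that the current list applies) and the spec text should say whether an implementation's locally bundled snapshot of the list is acceptable.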
